Is xss_clean enough to stop SQL injection attacks or to be safe?
#1

[eluser]bugboy[/eluser]
Hi, I'm asking this as I'm creating a service that requires a form to be very secure and safe from user input, but it has to be public facing.

I suppose a bit like a contact form or search form which accesses a database to get data out and back.

Also, when you run the validation class, is the data prepped and ready to be inserted into the database?

for example:

Code:
$this->form_validation->set_rules('field', 'Field', 'trim|required|xss_clean');
// run() returns TRUE when every rule passed
if ($this->form_validation->run() === TRUE)
{
    // is this data now safe to insert and use?
    $data = $this->input->post('field');
    $this->some_model->insert($data);
}

Once $this->form_validation->set_rules() has been run, does that mean that $this->input->post() is safe to use in the database?

Also, do I need to run htmlentities() in $this->form_validation->set_rules()?
#2

[eluser]rogierb[/eluser]
Usually it is safe enough when you use $this->input->post() and have global_xss_filtering set to true.
I always try to use type casting as well.
Code:
$data = (int) $this->input->post('integer_field');
$data = (float) $this->input->post('decimal_field');

And using AR escapes your query. So that gives you some extra protection.
The validation class itself does not clean variables, it merely checks if they are safe enough.
$this->input->post() does filter.
#3

[eluser]bugboy[/eluser]
Ok thanks rogierb

I haven't got global xss_filtering set to true.

I've read that you can set xss_clean on each post value by using $this->input->post('field', TRUE);

So $this->input->post() does filter? Or doesn't it?

I do use the AR library as well, so what I put in is pretty safe?

I'm going to look into type casting as well now.
#4

[eluser]rogierb[/eluser]
If you only use $this->input->post(), it gets cleaned just a bit (stripslashes).
Adding TRUE or enabling global_xss_filtering will filter the value.

Note that the xss_clean() method is pretty good, but someone might get through it.
Also, account for CSRF by adding a unique identifier to your form or by using the CSRF plugin found here: http://ellislab.com/forums/viewthread/92399/
I do both. The unique identifier is used for both CSRF and people posting twice. The plugin is just for CSRF.
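The "unique identifier" approach from this post, written out as an added example (it is not the linked plugin, not CodeIgniter's own csrf_protection setting, and not code from the thread). It is a small CodeIgniter library that mints a random one-time token per form render, stores it in the session, and accepts it exactly once, which covers both cross-site request forgery and double submission. Assumed: CodeIgniter 2.x with the session library configured, PHP 7 or later for random_bytes() and hash_equals(), and the class name Form_token, the session key and the hidden field name, all of which are this example's choices.

```php
<?php
// application/libraries/Form_token.php (added example, name assumed)
class Form_token {

    const SESSION_KEY = 'form_token';   // assumed session key
    const FIELD_NAME  = 'token';        // assumed hidden-field name

    protected $ci;

    public function __construct()
    {
        $this->ci =& get_instance();
        $this->ci->load->library('session');
    }

    // Call when rendering the form. A fresh 128-bit random token is stored
    // server-side (in the session) and returned as a hidden input to embed.
    // Only a page served to this user's session can know the value, which is
    // what a cross-site POST cannot do.
    public function field()
    {
        $token = bin2hex(random_bytes(16));
        $this->ci->session->set_userdata(self::SESSION_KEY, $token);

        return '<input type="hidden" name="'.self::FIELD_NAME.'" value="'.$token.'" />';
    }

    // Call when handling the POST. Returns TRUE at most once per token: the
    // stored value is discarded before the comparison, whatever the outcome,
    // so a replayed request or a double-clicked submit fails the second time.
    public function consume()
    {
        $expected  = $this->ci->session->userdata(self::SESSION_KEY);
        $submitted = $this->ci->input->post(self::FIELD_NAME);

        $this->ci->session->unset_userdata(self::SESSION_KEY);

        // userdata() and post() return FALSE when the key is absent
        if ( ! is_string($expected) OR $expected === '' OR ! is_string($submitted))
        {
            return FALSE;
        }

        // constant-time comparison so the token cannot be guessed byte by byte
        return hash_equals($expected, $submitted);
    }
}
```

In the view, echo `$this->form_token->field()` inside the form; in the controller that receives the POST, call `$this->form_token->consume()` before `$this->form_validation->run()` and reject the request (for example `show_error('Invalid or expired form token', 403)`) when it returns FALSE. Because consume() discards the token unconditionally, the form must be re-rendered (and a new token minted) whenever validation fails and the form is shown again.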
#5

[eluser]bugboy[/eluser]
Thanks once again

So from what you're saying, CI is pretty secure to begin with; we can just do that little extra to help things along the way.

Such as enabling xss_filtering globally or via $this->input->post('field', TRUE); and using that plugin to help against Cross Site Requests.

Would I be advised to run htmlentities() on the data before inputting it?

Also, is there any way I can check my forms to see if they are safe?

Cheers once again
#6

[eluser]rogierb[/eluser]
If you can get your hands on the program from http://www.acunetix.com/websitesecurity/ you can check almost everything about your website. It comes up with the strangest things. Just be patient, because it takes a long time to complete.

And yes, you can use htmlentities() just to make sure, but xss_clean will filter possibly malicious HTML tags.
#7

[eluser]CroNiX[/eluser]
[quote author="rogierb" date="1259263527"]
The validation class itself does not clean variables, it merely checks if they are safe enough.
[/quote]
Actually it does, if you pass it rules like "xss_clean" or "encode_php_tags" or a custom callback that performs some additional manipulation.
#8

[eluser]bugboy[/eluser]
Hi

So if it does clean up the data, how do you access it? Via $this->input->post()?
#9

[eluser]skunkbad[/eluser]
set_value()
#10

[eluser]bugboy[/eluser]
Well, after digging around in the form_validation library, I found this function call:

Code:
// Now we need to re-set the POST data with the new, processed data
$this->_reset_post_array();

So it looks like the POST data is updated after the form validation is run.

After the validation is done, the POST data returned by $this->input->post('field') is updated.
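The whole flow the thread has been circling, as an added example that is not code from the thread or from CodeIgniter itself. It ties together rogierb's two points in post #2 (type casting, and Active Record escaping the query) with bugboy's finding in post #10 (run() writes the prepped values back into POST): a controller validates with prep rules, reads the cleaned values back through $this->input->post(), casts the numeric one, and hands the row to a model whose safe methods use Active Record or query bindings, beside one concatenating method kept only as the contrast. Assumed: CodeIgniter 2.x with the input, form_validation and database libraries loaded, a table `messages` with columns id, email, age and body, and the class and view names Contact, Message_model, contact_form and contact_thanks, all invented for this example.

```php
<?php
// Added example (assumed names throughout); CodeIgniter 2.x conventions.

class Contact extends CI_Controller {

    public function submit()
    {
        $this->load->library('form_validation');
        $this->load->model('message_model');

        // 'trim' and 'xss_clean' are prep rules: they rewrite the field value.
        // When run() finishes it copies the rewritten values back into $_POST
        // (Form_validation::_reset_post_array), so $this->input->post() here
        // and set_value() in the view both return the cleaned data.
        $this->form_validation->set_rules('email', 'Email', 'trim|required|valid_email|xss_clean');
        $this->form_validation->set_rules('age',   'Age',   'trim|required|is_natural');
        $this->form_validation->set_rules('body',  'Body',  'trim|required|xss_clean');

        if ($this->form_validation->run() === FALSE)
        {
            // Redisplay the form; set_value('email') etc. repopulate the fields.
            $this->load->view('contact_form');
            return;
        }

        $row = array(
            'email' => $this->input->post('email'),      // already trimmed and xss_cleaned
            'age'   => (int) $this->input->post('age'),  // cast: an int cannot carry a quote
            'body'  => $this->input->post('body'),
        );
        $id = $this->message_model->insert($row);
        $this->load->view('contact_thanks', array('id' => $id));
    }
}

class Message_model extends CI_Model {

    // Active Record escapes every value before it reaches the SQL string.
    public function insert(array $row)
    {
        $this->db->insert('messages', $row);
        return $this->db->insert_id();
    }

    // Query bindings: CI escapes each bound value itself.
    public function find_by_email($email)
    {
        $sql = 'SELECT id, email, age, body FROM messages WHERE email = ?';
        return $this->db->query($sql, array($email))->result();
    }

    // Active Record plus a cast: either one alone would be enough.
    public function find_by_age($age)
    {
        return $this->db->where('age', (int) $age)->get('messages')->result();
    }

    // DO NOT USE: string concatenation. xss_clean targets HTML and JavaScript
    // and leaves a single quote alone, so an email value such as
    //   x' OR '1'='1
    // still breaks out of the quotes here even after the xss_clean rule ran.
    // Kept only as the contrast to the two methods above.
    public function find_unsafe($email)
    {
        $sql = "SELECT id, email, age, body FROM messages WHERE email = '".$email."'";
        return $this->db->query($sql)->result();
    }
}
```

The point of the contrast is that xss_clean and AR protect against different things: xss_clean is output hygiene for HTML, while escaping at the database layer (Active Record, `?` bindings, or `$this->db->escape($value)` when a query really has to be built by hand) is what stops SQL injection. Whether global_xss_filtering is on or off makes no difference to the last method.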